Two additional configuration options are required when using the SecureThreadPoolServer. First, ssl_privkey must point to the server's private key. Second, ssl_certificate must point to the server's certificate.

TLSLite does not support a password protected private key unless additional libraries are used. Consult the TLSLite webpage for more information.

Typically a certificate would be purchased from a certificate authority, such as Thawte (http://www.thawte.com). However, since the suggested usage of the standalone server is for personal use, a self-signed certificate may be appropriate. For more information on how to generate a server private key and a self-signed certificate, see the openssl HOWTO pages.

For example, to create the server's private key, run the following:

openssl genrsa -out privkey.pem 2048

To create a self signed certificate for the newly created private key, run the following:

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

moin.py then needs to be told about the generated files privkey.pem and cacert.pem. For the example above, the following lines would need to be added to moin.py:

Using a self-signed certificate will cause your browser to generate a warning that it cannot verify the identity of the wiki server. This is because the certificate was not signed by a recognized certificate authority (CA). In order to get rid of this warning, you must purchase a certificate from a CA.
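
A pre-flight check for the two files before ssl_privkey and ssl_certificate are pointed at them, as an added example that is not part of MoinMoin or TLSLite. It flags a password-protected key (which TLSLite cannot load without additional libraries) and a key that other users can read, since an unencrypted key is protected only by its file permissions. The function name check_tls_files and the permission policy are assumptions.

```python
import os
import re
import stat
import tempfile

# Markers of a passphrase-protected PEM key (PKCS#8 and traditional OpenSSL).
ENCRYPTED_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")
KEY_BEGIN = re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----")
CERT_BEGIN = "-----BEGIN CERTIFICATE-----"


def check_tls_files(privkey_path, cert_path):
    """Return a list of problems; an empty list means the pair passed."""
    problems = []
    with open(privkey_path, errors="replace") as fh:
        key_text = fh.read()
    with open(cert_path, errors="replace") as fh:
        cert_text = fh.read()

    if any(marker in key_text for marker in ENCRYPTED_MARKERS):
        problems.append("private key is password protected")
    elif not KEY_BEGIN.search(key_text):
        problems.append("no PEM private key block in key file")

    # An unencrypted key is protected only by its file permissions.
    mode = stat.S_IMODE(os.stat(privkey_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("private key accessible to group/other (mode %04o)" % mode)

    if CERT_BEGIN not in cert_text:
        problems.append("no PEM certificate block in certificate file")
    if "PRIVATE KEY-----" in cert_text:
        problems.append("certificate file also contains a private key")
    return problems


if __name__ == "__main__":
    # Constructed PEM skeletons (no real key material), written to a temp dir.
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "privkey.pem")
        cert = os.path.join(tmp, "cacert.pem")
        with open(key, "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "-----END RSA PRIVATE KEY-----\n")
        with open(cert, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n")
        os.chmod(key, 0o644)
        for problem in check_tls_files(key, cert):
            print("WARNING:", problem)
```

The check reads only PEM headers and file modes; it does not confirm that the certificate was issued for that key.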

Serving Port 443

A secure standalone server may be run to listen on port 443, but this requires root to start the server. An alternative is to use iptables to run a secure standalone server on an unprivileged port such as 8081 but redirect traffic through privileged port 443 (setting iptables requires root):